BUUCTF_Re_[ACTF新生赛2020]easyre
作者:互联网
有个upx的壳,脱掉后,主函数代码:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4[12]; // [esp+12h] [ebp-2Eh] BYREF
int v5[3]; // [esp+1Eh] [ebp-22h]
char v6[5]; // [esp+2Ah] [ebp-16h] BYREF
int v7; // [esp+2Fh] [ebp-11h]
int v8; // [esp+33h] [ebp-Dh]
int v9; // [esp+37h] [ebp-9h]
char v10; // [esp+3Bh] [ebp-5h]
int i; // [esp+3Ch] [ebp-4h]
__main();
qmemcpy(v4, "*F'\"N,\"(I?+@", sizeof(v4));
printf("Please input:");
scanf("%s", v6);
if ( v6[0] != 'A' || v6[1] != 'C' || v6[2] != 'T' || v6[3] != 'F' || v6[4] != '{' || v10 != '}' )
return 0;
v5[0] = v7;
v5[1] = v8;
v5[2] = v9;
for ( i = 0; i <= 11; ++i )
{
if ( v4[i] != _data_start__[*((char *)v5 + i) - 1] )
return 0;
}
printf("You are correct!");
return 0;
}
重点就是在
v4[i]!=_data_start_
判断是否相等,
然后找到_data_start的值:
就是把在data里找v4
脚本:
v4="*F'\"N,\"(I?+@"
data = '~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)(\'&%$# !"'
flag=''
for i in range(len(v4)):
flag+=chr(data.find(v4[i])+1)
print(flag)
得到:U9X_1S_W6@T?
包上flag{U9X_1S_W6@T?}
标签:BUUCTF,esp,int,easyre,char,Re,ebp,v6,v4 来源: https://www.cnblogs.com/1ucky/p/16122739.html